Pat-plone-modal and "Cross-Origin Request Blocked" errors

agitator · August 3, 2017, 3:44pm

<a class="pat-plone-modal" data-pat-plone-modal="width: 75%; content: #page; title: ;" href="https://api.easytemp.ch/live/ins/10897605491079789220.html" target="_blank">
    <div class="col titel">Metallbauer (w/m)</div>
</a>

I'm trying to load a job advert with pat-plone-modal from a different domain than the host, but keep getting "Cross-Origin Request Blocked" errors.

So I tried to setHeaders within the update method of the viewlet

response.setHeader("Access-Control-Allow-Origin", "https://api.easytemp.ch/")
response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, X-Range, Range, Content-Type, Accept, Access-Control-Allow-Headers")

The headers are shown as response headers in the network tab, but still no luck...
What am I missing?

Peter

ebrehault · August 3, 2017, 4:06pm

Unfortunately, that's the other way around: that's your domain which must be allowed by the api.easytemp.ch server.
So you can only do that if you do manage this server.

agitator · August 3, 2017, 4:21pm

Bummer...
Thought it's about users security, so that I have to allow the request for the users browser.

Thanx for clearing that!

agitator · August 3, 2017, 4:32pm

Can you explain why I'm able to access those resources via urllib or browser then?

ebrehault · August 3, 2017, 9:11pm

That depends on the CORS policy defined by the server.
The server might accept regular visitor but forbid AJAX call (that's the case with api.easytemp.ch).
Similarly it could accept image src call, but not iframe call, etc.
Or you can decide to accept AJAX calls from www.easytemp.ch but not any other domain.
You can configure whatever you want in the server vhost.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS if you need more details.

agitator · August 4, 2017, 5:56am

Thanx!